15.05.2017, 21:40, "Андрей Василишин" <[email protected]>: > Привет всем! > В связи с поголовной sslзацией Интернета пришла очередь и до > mp4-стримминга. И вот Вчерашний тест показал, при 15к коннектах уже > начало потихоньку упираться в проц и в пике было 32 Гбит/с трафика. > Сегодня без ssl при тех же 15к коннектах 40 Гбит/с трафика и проц > гуляет. Может нчто-то где-то надо подтюнить в конфиге?
Поставить в качестве предпочитаемых шифров null и rc4, все равно это шифрование для галочки > Конфиг ssl ниже: > > listen 443 ssl; > add_header Strict-Transport-Security "max-age=0;"; > # add_header Strict-Transport-Security "max-age=31536000; > includeSubDomains" always; > # ssl on; > ssl_certificate /etc/nginx/ssl/site.com.crt; > ssl_certificate_key /etc/nginx/ssl/privatekey.key; > ssl_trusted_certificate /etc/nginx/ssl/site.com.crt; > # должен содержать 80 или 48 48 or 80 bytes > # openssl rand 48 > /etc/nginx/ssl/current.key > ssl_session_ticket_key /etc/nginx/ssl/current.key; > ssl_session_ticket_key /etc/nginx/ssl/prev.key; > ssl_session_ticket_key /etc/nginx/ssl/prevprev.key; > > # Use 2048 bit Diffie-Hellman RSA key parameters > # (otherwise Nginx defaults to 1024 bit, lowering the strength > of encryption # when using PFS) > # Generated by OpenSSL with the following command: > # openssl dhparam -outform pem -out > /etc/nginx/ssl/dhparam2048.pem 2048 > ssl_dhparam /etc/nginx/ssl/dhparam2048.pem; > > # make the server choose the best cipher instead of the browser > # Perfect Forward Secrecy(PFS) is frequently compromised without > this > ssl_prefer_server_ciphers on; > > # support only believed secure ciphersuites using the following > priority: > # 1.) prefer PFS enabled ciphers > # 2.) prefer AES128 over AES256 for speed (AES128 has completely > adequate security for now) > # 3.) Support DES3 for IE8 support > > # disable the following ciphersuites completely > # 1.) null ciphers > # 2.) ciphers with low security > # 3.) fixed ECDH cipher (does not allow for PFS) > # 4.) known vulnerable cypers (MD5, RC4, etc) > # 5.) little-used ciphers (Camellia, Seed) > ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 > kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA > !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED'; > > ## OCSP Stapling > ssl_stapling on; > ssl_stapling_verify on; > ssl_protocols TLSv1.2 TLSv1.1 TLSv1; > > # Cache SSL Sessions for up to 10 minutes > # This improves performance by avoiding the costly session > negotiation process where possible > ssl_session_cache builtin:10000 shared:SSL:100m; > # ssl_session_timeout 5m; # this is a default, but can be changed > ssl_session_timeout 1h; > _______________________________________________ > nginx-ru mailing list > [email protected] > http://mailman.nginx.org/mailman/listinfo/nginx-ru -- Regards, Konstantin _______________________________________________ nginx-ru mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-ru
